HIPAA-Cracy

Authors

Carl E. Schneider, University of Michigan Law SchoolFollow

Document Type

Response or Comment

Publication Date

1-2006

Abstract

The Department of Health and Human Services has recently been exercising its authority under the (wittily named) "administrative simplification" part of the Health Insurance Portability and Accountability Act to regulate the confidentiality of medical records. I love the goal; I loathe the means. The benefits are obscure; the costs are onerous. Putatively, the regulations protect my autonomy; practically, they ensnarl me in red tape and hijack my money for services I dislike. HIPAA (a misnomer-HIPAA is the statute, not the regulations) is too lengthy, labile, complex, confused, unfinished, and unclear to be summarized intelligibly or reliably. (Brevis esse laboro, obscurus flo.) However, a covered entity is any health plan or "health care provider" that "transmits any health information in electronic form." If HIPAA has a general rule, it is that (1) a "covered entity may not use or disclose protected health information except as permitted," (2) the entity must "make reasonable efforts to limit protected health information to the minimum necessary," and (3) the covered entity must require its "business associates" to "appropriately safeguard the information." With plentiful exceptions and restrictions, entities may use or disclose information "for treatment, payment, or health care operations."